Point-to-Point Tunnel Protocol (PPTP) support was added to Cisco
IOS® Software Release 12.0.5.XE5 on the Cisco 7100
and 7200 router platforms. Support for more platforms was added in Cisco IOS
Software Release 12.1.5.T.

Request for Comments (RFC) 2637 describes PPTP. According to this RFC,
the PPTP Access Concentrator (PAC) is the client (that is, the PC or the
caller) and the PPTP Network Server (PNS) is the server (that is, the router or
the device being called).

This document assumes that you have set up PPTP connections to the
router with local Microsoft-Challenge Handshake Authentication Protocol
(MS-CHAP) V1 authentication (and optionally Microsoft Point-to-Point Encryption
[MPPE] which requires MS-CHAP V1) using these documents, and that they are
already working. Remote Authentication Dial-In User Service (RADIUS) is
required for MPPE encryption support; TACACS+ works for authentication, but not
for MPPE keying.

This configuration uses Microsoft IAS installed on a Windows 2000
advanced server as the RADIUS server.

The information presented in this document was created from devices in
a specific lab environment. All of the devices used in this document started
with a cleared (default) configuration. If you are working in a live network,
ensure that you understand the potential impact of any command before using
it.

This sample configuration demonstrates how to set up a PC to connect to
the router (at the address 10.200.20.2), which then authenticates the user to
Microsoft's Internet Authentication Server (IAS) (at 10.200.20.245) before
allowing the user into the network. PPTP support is available with Cisco Secure
Access Control Server (ACS) Version 2.5 for Windows. However, it may not work
with the router due to Cisco Bug ID CSCds92266. If you are using Cisco Secure,
we recommend using Cisco Secure Version 2.6 or above. Cisco Secure UNIX does
not support MPPE. Two other RADIUS applications with MPPE support are Microsoft
RADIUS and Funk RADIUS.

This section shows how to configure the Windows 2000 advanced server
for Microsoft IAS:

Ensure that Microsoft IAS is installed. To install Microsoft IAS,
log in as an administrator. Under Network Services, verify
that all check boxes are cleared. Select the Internet Authentication Server
check box and then click OK.

Unlike Cisco Secure, the Windows 2000 RADIUS user database is tightly
bound to the Windows user database. If Active Directory is installed on your
Windows 2000 server, create your new dial-up users from Active Directory
Users and Computers. If Active Directory is not installed, use Local Users
and Groups from Administrative Tools to create new users.

Configuring Users If No Active Directory is Installed

This section shows the steps to configure users if no Active Directory
is installed:

From Administrative Tools, click Computer Management. Expand the
Computer Management console and click Local Users and Groups. Right-click
Users and select New User. Create a new user called tac.

Type a password in the Password and
Confirm Password dialog boxes.

Clear the User Must Change Password at Next Logon
option and click Next.

Open the Properties box of the new user tac. Switch to the Dial-in tab.
Under Remote Access Permission (Dial-in or VPN), click Allow Access, then
click OK.

The section below shows the steps to configure the Windows 2000 client
for PPTP:

From the Start menu, select
Settings, then either:

Control Panel and Network and Dial-up
Connections, or

Network and Dial-up Connections then
Make New Connection.

Use the Wizard to create a connection called
PPTP. This connection connects to a private network through
the Internet. You also need to specify the PPTP Network Server (PNS) IP address
or name.

The new connection appears in the Network and Dial-up
Connections window under Control Panel.

From here, right-click the connection to edit its properties. Under the
Networking tab, make sure that the Type of Server I Am Calling field is set
to PPTP. If you plan to allocate a dynamic internal address to this client
from the gateway, either via a local pool or Dynamic Host Configuration
Protocol (DHCP), select TCP/IP protocol, and make sure the client is
configured to obtain an IP address automatically. DNS information can also
be assigned automatically.

The Advanced button allows you to define static
Windows Internet Naming Service (WINS) and DNS information.

The Options tab allows you to turn off IPSec or
assign a different policy to the connection.

Under the Security tab, you can define the user authentication
parameters, for example PAP, CHAP, MS-CHAP, or Windows domain logon. Once the
connection is configured, you can double-click it to display the login screen
and then connect.

Using the following router configuration, the user is able to connect
with username tac and password admin even if the RADIUS server is unavailable
(this is possible when Microsoft IAS has not yet been configured). The
following sample configuration outlines the commands required for L2TP
without IPSec.
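The router configuration that this passage refers to is not reproduced on this page. What follows is an added example configuration for a PPTP Network Server (PNS), not the document's own configuration and not a Cisco reference configuration. It authenticates PPP sessions against the IAS server at 10.200.20.245 over RADIUS, falls back to the local user tac when RADIUS does not answer, and requires MPPE on every session. The router and IAS addresses come from the document; the interface name Ethernet0/0, the pool name pptp-pool and its address range, and the RADIUS shared secret are assumptions to be replaced for your environment.

```cisco
! Added example PNS configuration (not the page's own). 10.200.20.2 (router)
! and 10.200.20.245 (IAS) come from the document; Ethernet0/0, the pool
! range and the shared secret are assumed placeholders.
aaa new-model
! Authenticate PPP (MS-CHAP) against RADIUS first; fall back to the local
! database only when the RADIUS server does not respond.
aaa authentication ppp default group radius local
! Network authorization over RADIUS applies the attributes returned in the
! Access-Accept, which is how the MPPE key material from IAS reaches the
! router; TACACS+ authenticates but cannot supply these keys.
aaa authorization network default group radius local
! Local fallback user named in the document. MS-CHAP needs a reversible
! password, so "username ... secret" (one-way hash) cannot be used here.
username tac password admin
!
vpdn enable
vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
!
interface Ethernet0/0
 ip address 10.200.20.2 255.255.255.0
!
! Template cloned for each PPTP session.
interface Virtual-Template1
 ip unnumbered Ethernet0/0
 peer default ip address pool pptp-pool
 ppp authentication ms-chap
 ppp encrypt mppe auto required
!
! MS-CHAP v1 is mandatory on the virtual template because MPPE derives its
! session keys from it. "required" on ppp encrypt mppe refuses clients that
! negotiate no encryption: a client set to "No Encryption Allowed" is
! disconnected, which is the client-side symptom described later in the
! document.
ip local pool pptp-pool 172.16.10.1 172.16.10.10
!
radius-server host 10.200.20.245 auth-port 1645 acct-port 1646
radius-server key REPLACE_WITH_SHARED_SECRET
```

Because the method list reads group radius before local, the local tac account is only consulted when no RADIUS reply arrives (server down or unreachable), not when IAS actively rejects the user; a rejection from IAS is final. Remove the local fallback once IAS is in production if you do not want a router-resident credential to remain a second authentication path.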

debug vpdn events - Displays messages
about events that are part of normal tunnel establishment or shutdown.

debug vpdn errors - Displays errors that
prevent a tunnel from being established or errors that cause an established
tunnel to be closed.

debug vpdn packets - Displays each
protocol packet exchanged. This option may result in a large number of debug
messages and should generally only be used on a debug chassis with a single
active session.

Let us assume the gateway router is an ISP router. When the PPTP tunnel
comes up on the PC, the PPTP route is installed with a higher metric than the
previous default, so Internet connectivity is lost. To remedy this, modify the
Microsoft routing table to delete the default route and reinstall it (this
requires knowing the IP address assigned to the PPTP client; in the current
example, this was 172.16.10.1):

Under the Security tab on the dial-up connection used
for the PPTP session, you can define the user authentication parameters. For
example, this can be PAP, CHAP, MS-CHAP, or Windows domain logon. If you have
chosen the No Encryption Allowed (server disconnects if it
requires encryption) option in the Properties section of the
VPN connection, you may see a PPTP Error message on the client: